Shai-Hulud 2.0 Supply Chain Attack: More Than 25,000 npm Repositories Exposed
www.wiz.io/blog/shai…

Detect and mitigate malicious npm packages linked to the latest Shai-Hulud-style supply chain campaign.

More than 25,000 repositories across approximately 350 unique users have been affected. Popular projects from Zapier, ENS Domains, PostHog, and Postman were trojanized, resulting in GitHub repositories being populated with stolen victim data. Several of these packages are widely used, appearing in roughly 27% of cloud and code environments scanned by Wiz.

Wiz Threat Research and Aikido have confirmed that the trojanized npm packages were uploaded between Nov. 21 and Nov. 23, 2025. Once installed, the malware exfiltrates developer and CI/CD secrets to GitHub repositories whose descriptions reference Shai-Hulud.

Update (Nov. 24, 19:00 UTC): Wiz Research confirms cross-victim exfiltration. Secrets from one victim are being uploaded to public repositories owned by a second, unrelated victim, and this behaviour has been observed repeatedly. GitHub is actively removing attacker-created repositories linked to this campaign, but the attacker continues to create new ones as the activity persists.
Shai-Hulud 2.0 Supply Chain Attack
Edward Kiledjian
@ekiledjian
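Two facts in the summary above are directly usable as triage checks: the trojanized versions were published to npm between Nov. 21 and Nov. 23, 2025, and the exfiltration destination is a GitHub repository whose description references Shai-Hulud. The script below is an added example, not code from Wiz, Aikido or the post's author. It reads a lockfile, cross-checks each installed version's publish timestamp (the `time` object of the npm registry document for a package) against that window, and filters GitHub repository records by description. The lockfile, registry timestamps, package names and repository names are constructed placeholders for illustration; in practice the registry and GitHub data would be fetched live, and a publish-window hit is a lead to compare with published indicator lists, not proof that a package is malicious.

```python
import json
from datetime import datetime, timezone

# Campaign window stated in the post: trojanized packages uploaded between
# Nov. 21 and Nov. 23, 2025. Assumed here to mean whole days, inclusive, UTC.
WINDOW_START = datetime(2025, 11, 21, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 11, 23, 23, 59, 59, tzinfo=timezone.utc)

# Constructed package-lock.json (lockfile v3 layout). Package names and
# versions are hypothetical placeholders, not packages named by the post.
SAMPLE_LOCK = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/alpha-util": {"version": "2.3.1"},
    "node_modules/beta-cli": {"version": "0.9.4"},
    "node_modules/beta-cli/node_modules/gamma-core": {"version": "5.0.2"}
  }
}
""")

# Constructed stand-in for the "time" object of each package's registry
# document (GET https://registry.npmjs.org/<name>); fetch it live in practice.
SAMPLE_REGISTRY_TIME = {
    "alpha-util": {"2.3.0": "2025-10-02T11:20:00.000Z",
                   "2.3.1": "2025-11-22T03:14:07.000Z"},
    "beta-cli": {"0.9.4": "2025-08-15T09:00:00.000Z"},
    "gamma-core": {"5.0.2": "2025-11-21T00:00:30.000Z"},
}

# Constructed GitHub repository records in the shape the repos API returns.
SAMPLE_REPOS = [
    {"full_name": "victim-a/migration", "description": "Shai-Hulud: The Second Coming"},
    {"full_name": "victim-a/website", "description": "Company website"},
    {"full_name": "victim-b/dotfiles", "description": None},
]


def installed_packages(lock):
    """Map package name -> installed version from a v2/v3 lockfile, including
    nested node_modules entries. The root entry "" is skipped."""
    found = {}
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue
        # Strip everything up to the last "node_modules/", which also keeps
        # scoped names such as "@scope/name" intact.
        name = path.rsplit("node_modules/", 1)[-1]
        found[name] = meta.get("version")
    return found


def parse_npm_time(ts):
    """npm registry timestamps are ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def published_in_window(installed, registry_time,
                        start=WINDOW_START, end=WINDOW_END):
    """Return (name, version, published_at) for installed versions whose
    publish time falls inside [start, end]. Versions with no registry
    timestamp are skipped rather than guessed."""
    hits = []
    for name, version in installed.items():
        ts = registry_time.get(name, {}).get(version)
        if ts is None:
            continue
        if start <= parse_npm_time(ts) <= end:
            hits.append((name, version, ts))
    return sorted(hits)


def suspicious_repo_descriptions(repos, needle="shai-hulud"):
    """Full names of repositories whose description references Shai-Hulud,
    the exfiltration marker the post describes. Case-insensitive; a missing
    description is treated as empty."""
    return [r["full_name"] for r in repos
            if needle in (r.get("description") or "").lower()]


if __name__ == "__main__":
    for name, version, ts in published_in_window(
            installed_packages(SAMPLE_LOCK), SAMPLE_REGISTRY_TIME):
        print(f"review: {name}@{version} published {ts}")
    for repo in suspicious_repo_descriptions(SAMPLE_REPOS):
        print(f"possible exfil repo: {repo}")
```

Run against a real lockfile, the publish-window pass produces a short review list even for large dependency trees, since most installed versions predate the window by months; the repository pass should be run over every organisation and user account that holds tokens reachable from CI, because the update in the post notes that stolen secrets have been pushed into repositories owned by unrelated victims.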